mirror of
https://github.com/minio/minio.git
synced 2024-12-24 06:05:55 -05:00
add some security HTTP headers (#5814)
This change adds some security headers like Content-Security-Policy. It does not set the HSTS header because Content-Security-Policy prevents mixed HTTP and HTTPS content and the server does not use cookies. However it is a header which could be added later on. It also moves some header added by #5805 from a vendored file to a generic handler. Fixes ##5813
This commit is contained in:
parent
1f07545e2a
commit
f60765ac93
@ -625,3 +625,19 @@ func (l rateLimit) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
||||
|
||||
l.handler.ServeHTTP(w, r)
|
||||
}
|
||||
|
||||
type securityHeaderHandler struct {
|
||||
handler http.Handler
|
||||
}
|
||||
|
||||
func addSecurityHeaders(h http.Handler) http.Handler {
|
||||
return securityHeaderHandler{handler: h}
|
||||
}
|
||||
|
||||
func (s securityHeaderHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
||||
header := w.Header()
|
||||
header.Set("X-XSS-Protection", "\"1; mode=block\"") // Prevents against XSS attacks
|
||||
header.Set("X-Frame-Options", "SAMEORIGIN") // Prevents against Clickjacking
|
||||
header.Set("Content-Security-Policy", "block-all-mixed-content") // prevent mixed (HTTP / HTTPS content)
|
||||
s.handler.ServeHTTP(w, r)
|
||||
}
|
||||
|
@ -59,6 +59,8 @@ func registerDistXLRouters(mux *router.Router, endpoints EndpointList) error {
|
||||
|
||||
// List of some generic handlers which are applied for all incoming requests.
|
||||
var globalHandlers = []HandlerFunc{
|
||||
// set HTTP security headers such as Content-Security-Policy.
|
||||
addSecurityHeaders,
|
||||
// Ratelimit the incoming requests using a token bucket algorithm
|
||||
setRateLimitHandler,
|
||||
// Validate all the incoming paths.
|
||||
|
4
vendor/github.com/gorilla/rpc/v2/server.go
generated
vendored
4
vendor/github.com/gorilla/rpc/v2/server.go
generated
vendored
@ -149,10 +149,6 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
||||
// Prevents Internet Explorer from MIME-sniffing a response away
|
||||
// from the declared content-type
|
||||
w.Header().Set("x-content-type-options", "nosniff")
|
||||
// Prevents against XSS Atacks
|
||||
w.Header().Set("X-XSS-Protection", "\"1; mode=block\"")
|
||||
// Prevents against Clickjacking
|
||||
w.Header().Set("X-Frame-Options", "SAMEORIGIN")
|
||||
|
||||
// Encode the response.
|
||||
if errResult == nil {
|
||||
|
Loading…
Reference in New Issue
Block a user